Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
30/11/2024, 02:40
General
-
Target
b471a54046eedc5d39eb2097fa738bff_JaffaCakes118.exe
-
Size
1.5MB
-
MD5
b471a54046eedc5d39eb2097fa738bff
-
SHA1
14c139798a76b5558aa337b8ee7347c199bb503e
-
SHA256
c49431ce8bca1ad641c0a626e1c49f63a37760626ea2986caaafb9ea1b8eb594
-
SHA512
8bb805a82d9d2d40e88fbc67d1aa7d4fd44ed01b0c44808bef0f5520d959266bd978f78c8a2412e148490b4b427691c9ee0bd3e820c5b9e223b3ea2e7513387c
-
SSDEEP
24576:NsyGt8Qzhs5XMD/ydu+9Hv4gAh4RX/lUztGejw7RieanaVyY6sml2DmjC4J:NsTt8Es5cbyUAH2EX/At2Yeana5mAaX
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
UAC bypass 3 TTPs 1 IoCs
-
ModiLoader Second Stage 30 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 4 IoCs
-
Themida packer 31 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b471a54046eedc5d39eb2097fa738bff_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b471a54046eedc5d39eb2097fa738bff_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
33KB
MD543f3cf231d8726f5557e2291599658d2
SHA1e76951e9139d0dfcfd598053a3306042fb4baca4
SHA25676d199d75d8007f8a08ff16263f9649fc24db103751bf8a42bb133e1c6fc5234
SHA51237ae45b2f751656f3e5e53ad34688eefe2b7404be8bd3cce1ba7a8a563d4bac03791db39203bcfb70208bdd6356f7f06b72764c5a8033f85194b55200b825ed5
-
Filesize
1.5MB
MD5b471a54046eedc5d39eb2097fa738bff
SHA114c139798a76b5558aa337b8ee7347c199bb503e
SHA256c49431ce8bca1ad641c0a626e1c49f63a37760626ea2986caaafb9ea1b8eb594
SHA5128bb805a82d9d2d40e88fbc67d1aa7d4fd44ed01b0c44808bef0f5520d959266bd978f78c8a2412e148490b4b427691c9ee0bd3e820c5b9e223b3ea2e7513387c
-
Filesize
7KB
MD567587e25a971a141628d7f07bd40ffa0
SHA176fcd014539a3bb247cc0b761225f68bd6055f6b
SHA256e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
SHA5126e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350
-
Filesize
3.3MB
-
Filesize
56KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
56KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
32KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
108KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB